As Ex-Uber Executive Heads to Trial, the Security Community Reels

“Six years from now, will all of them be prosecuted?” she asked.

At the very least, security executives are worried about being on the hook for potential legal bills. Charles Blauner, a retired CISO and cybersecurity adviser, said security chiefs had taken a strong interest in directors and officers insurance, which covers the legal costs of executives who are sued as a result of their work with a company.

“A lot of sitting chief information security officers are going to their bosses and asking if they have D.&O. insurance and, if not, can I have it?” Mr. Blauner said. “They are saying, ‘If I’m going to be held liable for something our company does, I want legal coverage.’”

After being charged, Mr. Sullivan sued Uber to force it to pay his legal fees in the criminal case, and they reached a private settlement.

Some security officers are sympathetic to how Mr. Sullivan handled the security incident at the center of the criminal case, while others say it was clearly inappropriate. In 2016, according to a criminal complaint, Mr. Sullivan learned that hackers had secured access to the personal data of about 600,000 Uber drivers and some personal information associated with 57 million riders and drivers. Prosecutors accuse Mr. Sullivan of directing those responsible to the company’s bug bounty program, which Uber, like many companies, had set up as a financial incentive for third parties to report its security vulnerabilities.

Uber ultimately paid the hackers, two men in their 20s, $100,000 in Bitcoin and had them sign nondisclosure agreements, according to the criminal complaint. Uber did not disclose the incident to the public, nor did it inform the Federal Trade Commission, which was investigating the company for its privacy and security practices.
